← Back to team overview

dhis2-devs team mailing list archive

Re: IMPORTANT: Vulnerability discovered in DHIS2 version 2.16 and some versions of trunk.

 

Thanks JP for the feedback.  If you are using dhis2-tools you can upgrade
to the latest stable when you get the chance with:

dhis2-deploy-war <your instance name>

But its always good to have ufw enabled anyway to provide some strength in
depth and protect against mistakes, misconfigurations etc


On 2 September 2014 09:48, J. Paul Mutali <mutali@xxxxxxxxx> wrote:

> My testing environment was vulnerable to this and I confirm UFW temporally
> solved the issue. I m running 2.16
>
> regards
>
> JPaul Mutali
>
>
> On Mon, Sep 1, 2014 at 5:46 PM, Jason Pickering <
> jason.p.pickering@xxxxxxxxx> wrote:
>
>> A potentially serious vulnerability of DHIS2 has been discovered by
>> members of the core development team this afternoon (2014-09-01).
>> The development team is working on a permanent solution for this, but in
>> the meantime, all users of DHIS2 are advised to review their system for
>> potential vulnerabilities.
>>
>> *Potentially affected versions: *
>>   All version of DHIS2 2.16 and any version of trunk, from revision 15124
>> and up.
>>
>> *Vulnerability Details: *
>> Hazelcast is a component of DHIS2 used to provide caching. By default,
>> Hazelcast will open a port (5701) on the machine which is running DHIS2.
>> The Hazelcast cluster may be vulnerable to attack. The Hazelcast cluster
>> API may expose critical information about the system, including network
>> information and other runtime data.  It is not currently known to what
>> extent the information contained inside of DHIS2 might be exposed through
>> this vulnerability.
>>
>>
>> *Risk: *
>> When running DHIS2 on a network that's directly attached to the Internet
>> or other unsecured network, an attacker may access and inject critical
>> information into the Hazelcast component. The exposed API could be used to
>> influence systems availability by injecting arbitrary into the DHIS2
>> caching system.
>>
>> *Steps to confirm if your server is vulnerable:*
>>
>> Replace "server" with your IP address or  the name of your server and
>> attempt to access the resulting address through your web browser
>>
>>  http://server:5701/hazelcast/rest/cluster/
>>
>>
>> Affected versions of DHIS2 will show something like the response below.
>>
>> Members [1] {
>> Member [XXX.XXX.XXX.XX]:5701 this
>> }
>>
>> ConnectionCount: 4
>> AllConnectionCount: 5
>>
>>
>> If you see any response, even different from this one, your DHIS2 server
>> is vulnerable, and should be upgraded immediately.
>>
>>
>> *Mitigation: *
>>
>> If you are running DHIS 2.15 or lower, do not upgrade at this point,
>> until advised otherwise. Further testing of the solution will need to be
>> confirmed.
>>
>>
>> If you are running DHIS2 version 2.16 or higher, or any version of trunk
>> past revision 15124, or any branch of trunk including revision 15124 and
>> up, you should immediately use a software based firewall to block all
>> non-localhost traffic on port 5701. The package UFW is a simple firewall,
>> which can be easily installed and enable as below
>>
>>
>> sudo apt-get install ufw (only if you have not installed this package
>> previously)
>> sudo ufw allow 22  (change this if need be to whatever port your ssh is
>> listening on)
>> sudo ufw allow 80
>> sudo ufw allow 443
>> sudo ufw enable
>>
>> Additionally, you should immediately upgrade your DHIS2 server software
>> version to at least the following revisions.
>>
>>
>> *Trunk: Revision 166032.16: 16386*
>>
>> The core development team will communicate further on this issues, once
>> we have had time to determine the extent of the problem, as well as to
>> confirm a final fix. If you have any questions about this mail, please do
>> not hesitate to ask!
>>
>>
>> Best regards,
>> Jason Pickering
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~dhis2-devs
>> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~dhis2-devs
>> More help   : https://help.launchpad.net/ListHelp
>>
>>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~dhis2-devs
> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~dhis2-devs
> More help   : https://help.launchpad.net/ListHelp
>
>

References